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Process 
| Event Name | Constituent Event Types | Pattern | Scope |
|---|---|---|---|
| FileEdited | FileRead, FileWrite, FileReadWrite | Same processId and fileHandle. beforeHash of first read & afterHash of last write differ. Both reads and writes to same file handle. Sum of writes > 0. | Thread |
| FileCopied | FileRead, FileWrite, FileReadWrite, FileCopy | Command shell: Alternating reads & writes. The reads all have one fileHandle, the writes all have a second one. Explorer: A long series of reads from one fileHandle followed by a long series of writes to a second. Mind the time period between. In both cases, the target device must not be removable. | Thread |
| FileSaveAs | FileRead, FileWrite, FileReadWrite | | Process |
| FileLeftThroughRemovableMedia | FileRead, FileWrite, FileReadWrite, FileCopy | Same as FileCopied or FileSaveAs, but target device is removable. | Process |
| ClipboardToFile | ClipboardCutCopy, ClipboardPaste | Pair a ClipboardCutCopy with all subsequent ClipboardPaste events for that user login until the next copy or the user logs out. Problem: If the user closes the application that performed the copy and the object was large and the user opts not to keep it there, what happens? | Login |
| PrintFile | Print, possibly others | Unclear. If there are temp files, intermediate PDF files, etc., then we may perform a chain of custody analysis to figure out just what was printed. | Thread |
| BurnMaster | FileRead, FileWrite | An app known to burn files reads one or more files then writes a roe. | |
| BurnFile | CDWrite, FileRead | Application is recognized as a CD writing app. (Optional) Series of FileReads from one file handle, followed by a series of CDWrite events with the same process. May need to compare filenames, otherwise one read will exhaust all the writes. Alternately, all read files are lumped together with one large burn event. Or perhaps the first read of a new file after the last read from the previous file is the start of the next burn event. | Process |
| FileLeftThroughNetworkPort | FileRead, TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound | An overlapping stream of FileReads interspersed with inbound and outbound network events. All the network events should be for the same port (?) and to a destination NOT on localhost. All the network events should be for the same protocol. | Thread |
| EmailFile | FileRead, TCPIPInbound, TCPIPOutbound, (other protocols???) | Similar to FileLeftThroughNetworkPort. Combines all interleaving FileReads with the network events. The application image name is one of those known to be an email program. May place constraints on the ports, since many email clients use certain well defined ports for SMTP, POP, etc. | Process |
| InstantMessenger | FileRead, TCPIPInbound, TCPIPOutbound, (other protocols???) | Similar to FileLeftThroughNetworkPort. Combines all interleaving FileReads with the network events. The application image name is one of those known to be used for Instant Messenger. May place constraints on the ports. | Process |
| P2PApp | FileRead, TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound | Constrain the application name to be one of those known to be a P2P app. Multiple ports will be used; some or all of them may have constraints. May constrain the protocol per app or per instance. Similar to FileLeftThroughNetworkPort as concerns interleaved file reads. | Process |
| FTPFile | FileRead, FileWrite, (TCPIPInbound, TCPIPOutbound) | May want to split into two events, one for reading and one for writing. Constrain to the common FTP port, unless the app is known by name to be an FTP client. Like FileLeftThroughNetworkPort, look for interleaved reads and network events, or interleaved writes and network events. | Process |
| RemoteAccess | TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound | Do not incorporate FileRead events. Several ports may be used. Look for known image names of remote apps. | Process |
| TunnelOut | TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound | All events use same protocol. Only two processes used. Two different apps and four ports are used. One of the ports is remote. Event 1: The first app sends outbound from local port 1 to local port Event 2: The second app (the tunneler) receives inbound from local port 1 to local port 2. Event 3: The tunneler also sends from local port 3 to remote port 4. Both events of the tunneler share the same thread (probably). | Login |
| TunnelIn | TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound | All events use same protocol. Only two processes used. Two different apps and four ports are used. One of the ports is remote. Event 1: The first app (the tunneler) receives inbound from remote port 1 to local port 2. Event 2: The tunneler sends outbound from local port 2 to local port 3. Event 3: The second app also receives inbound from local port 3 to local port 4. Both events of the tunneler share the same thread (probably). | Login |
| TunnelInOut | TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound | Multiple protocols may be used. More research needed. More than three ports are used. | Login |
| | FileRead, TunnelOut | Similar to FileLeftThroughNetworkPort. Combines all interleaving FileReads involving a process that is participating in a TunnelOut event. If more than one file is read, the source aasonation will be a count of the files read. | Login? |